Tuesday, January 22, 2013

Chapter 8 IPS IDP - same thing for Juniper


One IDP policy for the whole device.
You can have many IDP policies configured, but only ONE is active.

Each IDP policy has two rulebases: a rulebase for what you want to scan (rulebase-ips) and a rulebase for what you want to exempt (rulebase-exempt).


Ok.
Only one IDP policy can be active at a time.
That is the start.

set security idp active-policy idp_policy_name

Ok.
That will be the active policy for the whole of the SRX.

Now.
IPS/IDP takes resources like CPU and memory, so you don't want to waste them by applying it everywhere.
For example, you don't need it from the LAN to the WAN or similar.

So let's say we have a security policy from the WAN zone to the DMZ zone, and that is the traffic we want to scan.

set security policies from-zone WAN to-zone DMZ policy scan_traffic match xxxxxxx
set security policies from-zone WAN to-zone DMZ policy scan_traffic then permit application-services idp

So on the traffic from WAN to DMZ we tell the SRX to wake up the application-service idp and scan the traffic.

Now, to scan the traffic it will use the IDP engine.
Since there is only one ACTIVE IDP policy, called idp_policy_name, that is the policy it will call up.

So to reiterate:
security policy has a THEN --> the THEN calls up application-services idp --> which uses the active IDP policy --> idp_policy_name



Now to configuring the actual active policy.

Let's start with the exempt part.
set security idp idp-policy idp_policy_name rulebase-exempt

set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match source-address 11.11.11.0/24

So here we matched the source address of our sister company and exempted them.

We can also be more granular and exempt only specific attacks:
set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match attacks
attacks {
    custom-attacks [ attack-name ];
    predefined-attack-groups [ attack-name ];
    predefined-attacks [ attack-name ];
}

So we can set up as many exempts as we want; each one is its own rule:
rule 1a, rule 2a, etc.

Now.
We finished the exempt stuff.
We can move on to marking the stuff we WANT to scan.
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match from-zone/to-zone/source-address/destination-address etc. attacks (if you want to be granular)

Now the scan here results in an action which we must define (in the exempt rulebase there was no action).
THEN
set security idp idp-policy idp_policy_name rulebase-ips rule 1a then ...
Now we have some options here.

  1. Take ACTION. The normal choice is recommended (which is what the Juniper experts decided per attack).
    1. You can also take no-action.
    2. You can drop-packet            # drops this packet only; if the next packet comes around it is processed again.
       This is good for UDP, for example. That way you won't get a DDoS on your UDP traffic,
       as each UDP packet could be different.
    3. You can close-client           # sends the sender an RST. An RST basically kills the connection.
    4. You can close-server           # sends the recipient an RST.
    5. You can close-client-and-server    # obviously sends the RST to both.
    6. You can mark-diffserv          # let's say you want that traffic to get a higher DSCP priority.

Again, Juniper recommends recommended as the action to take.
Then they decide what to do based on the attack.

  2. Notification. Here you can send it to syslog, for example:
     set security idp idp-policy idp_policy_name rulebase-ips rule 1a then notification log-attacks

  3. The last big one is ip-action, and with it you can create logs, block that IP or whatever.


So we made rules, we made exempt rules, we set up the active IDP policy and applied it to the security policy traffic.
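As an added worked example (not from the original notes), here is the whole chain above in one Junos set-style configuration: the active policy, the exempt rule for the sister company, the ips rule with the recommended action and logging, and the WAN-to-DMZ security policy that wakes up IDP. The zone names, policy names and 11.11.11.0/24 come from the notes; the address-book entry sister_company and the attack-group name Recommended are assumptions (group names come from the signature package you install).

```junos
## Added example, not from the original post. Assumed names: sister_company, Recommended.

# 1. Make idp_policy_name the one active IDP policy on the box
set security idp active-policy idp_policy_name

# 2. Exempt the sister company (source 11.11.11.0/24) from IDP inspection.
#    The exempt rule references an address-book entry (global book, assumed name)
#    and, like every exempt rule, needs an attacks match.
set security address-book global address sister_company 11.11.11.0/24
set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match from-zone WAN
set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match to-zone DMZ
set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match source-address sister_company
set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match destination-address any
set security idp idp-policy idp_policy_name rulebase-exempt rule 1a match attacks predefined-attack-groups Recommended

# 3. Inspect everything else WAN->DMZ with the recommended attack group,
#    take the recommended action, and log every hit to syslog
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match from-zone WAN
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match to-zone DMZ
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match source-address any
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match destination-address any
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match application default
set security idp idp-policy idp_policy_name rulebase-ips rule 1a match attacks predefined-attack-groups Recommended
set security idp idp-policy idp_policy_name rulebase-ips rule 1a then action recommended
set security idp idp-policy idp_policy_name rulebase-ips rule 1a then notification log-attacks

# 4. Only the WAN->DMZ security policy hands traffic to IDP; LAN->WAN etc. never pay the CPU cost
set security policies from-zone WAN to-zone DMZ policy scan_traffic match source-address any
set security policies from-zone WAN to-zone DMZ policy scan_traffic match destination-address any
set security policies from-zone WAN to-zone DMZ policy scan_traffic match application any
set security policies from-zone WAN to-zone DMZ policy scan_traffic then permit application-services idp
```

After commit, show security idp status and show security idp counters (below) confirm the engine is running and the rule is actually seeing traffic.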

Eh Voila.
No.
Sorry.
For IDP/IPS you have to pay for an extra license.
The reason is that IPS signatures change over time as new attacks are created by crackers.
So Juniper charges you extra, but in exchange you can download the signatures.
This is the same as the border police getting updates on new terrorists or criminals.

So first add the license.
This is done from operational mode, which is the > prompt you have before typing configure to get the # prompt. So:
  • request system license add filename
  • show system license                                               verifies you added it.

  • show security idp security-package-version                        checks what version you have.
  • request security idp security-package download check-server       checks what version is available.

  • request security idp security-package download full-update        downloads it.
  • request security idp security-package download status             checks how the download is going.

  • request security idp security-package install                     so you downloaded it, now you install it.
  • request security idp security-package install status              checks how the installation is going.


Ok, remember the recommended thing, THEN action recommended? You need to update the recommendations too.
This is done by downloading what Juniper calls policy templates.
  • request security idp security-package download policy-templates   downloads the templates.
  • request security idp security-package download status             checks how the download is going.
  • request security idp security-package install policy-templates    installs the templates.
  • request security idp security-package install status              checks how the installation is going.

Ok god.
So add a license
Check to see you have it.

check the version you have
Check the version on the server

Download the full-update
Check the status of the download
Install the full-update
Check the status of the  installation

Download the policy-templates
Check the download
Install the policy-templates
Check the status of the install.


show security idp status
show security idp counters
show security idp memory
status will show you whether IDP is on.
counters will give you data.
and memory will show you how well the damn SRX is doing; this is good for spotting a DDoS.






  

1 comment:

  1. You missed out applying and then deactivating the commit script!!